The hard part of offboarding is the machine credentials
Disabling an account in your HR system when someone leaves takes five minutes. Slack, GSuite, and GitHub user accounts deprovision automatically if you have SCIM wired up. The hard part is the machine credentials they created and used — deploy tokens hardcoded into CI, AWS access keys issued under their name, service accounts inside Lambda functions, GitHub Personal Access Tokens minted once and forgotten.
These machine credentials keep working long after the human account is disabled. They show up on the dark web after an infostealer hits the departed employee's personal laptop, or stay in someone's 1Password vault and get reused by a new hire. In Cremit's analysis, roughly 60% of active NHIs in a typical organization have no clearly identifiable owner — and a large share of those are credentials originally created by employees who have since left.
Cremit's offboarding automation targets the machine credentials, not the human account. When an HR event fires, Cremit enumerates every NHI linked to that person and either revokes (if the credential is single-owner) or rotates (if it is shared and revoking would break a service).
Zero-risk employee offboarding
Instantly revoke all access when employees leave, eliminating security gaps
Instant Access Revocation
Revoke all API keys, service accounts, and credentials owned by departing employees with a single click.
Cross-Platform Offboarding
Remove access across AWS, GitHub, Azure, GCP, databases, and third-party services automatically.
Complete Audit Trail
Maintain detailed logs of all access revocations for compliance and security audits.
Scheduled Offboarding
Schedule access revocation in advance for contractors and temporary employees based on end dates.
Zero-Downtime Transition
Automatically rotate shared credentials after revocation to maintain service continuity.
HRMS Integration
Integrate with Workday, BambooHR, and other HR systems to trigger automatic offboarding workflows.
How it works
Automated offboarding in three simple steps
Detect Departure
Integration with HR systems automatically triggers offboarding workflow when an employee is marked as leaving.
Identify All Access
Cremit automatically discovers all API keys, credentials, and service accounts owned or accessed by the employee.
Revoke & Rotate
All access is instantly revoked, shared credentials are rotated, and complete audit logs are generated automatically.
Five ways offboarding goes wrong
Decompose real breaches, and the offboarding failures behind them almost always fall into one of five shapes.
1. The Ghost Key — never deactivated
HR disables the human account, but the AWS access key, GitHub PAT, and Datadog API token they issued remain active. This is the most common pattern; the typical credential outlives the employee by about 92 days.
2. The shared key nobody can rotate
A key was issued in one person's name but shared across the team of seven. Revoking it when they leave breaks seven workflows. The fix is rotation followed by redeployment, not revocation — but without automation that gets attempted once and abandoned.
3. The personal cloud account
An engineer registered a token to company infrastructure from their personal GitHub or AWS account. The company has no record the token exists. An infostealer hit on the personal laptop bridges directly into corporate resources.
4. Hardcoded in code or CI
The credential is embedded in git history or CI pipeline environment variables, so disabling a human account does not reach it. Catching this requires a credential inventory that covers git trees, .github/workflows, and CI config — not just IAM.
5. Unattributed — no owner mapping in the first place
You can only revoke a credential if it was mapped to that person at creation time. Many never were. There is no way to tell whether a given active key belongs to the departing employee or not. About 60% of active NHIs sit in this state in Cremit's data — and it is the single biggest blocker to automating offboarding at all.
What compliance requires vs. what actually happens
SOC 2, ISO 27001, PCI DSS, HIPAA — every framework has an access-termination control. The control usually says something like "all access revoked within 24 hours of departure, with an audit log retained." That gets enforced reasonably well for human accounts. It almost never gets enforced for machine credentials.
Audit season produces a report that compares HR termination dates against IAM deactivation logs — but that report rarely covers NHIs. Tokens in CI pipelines, service accounts inside Lambda functions, and webhooks registered to Slack workflows survive outside the scope of what gets audited.
Cremit's offboarding automation closes that gap. The human-account deactivation event is the trigger; Cremit then enumerates every NHI mapped to that person, and logs which credentials were revoked vs. rotated. The evidence your next auditor wants accumulates automatically as a side effect.
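The decision flow described above (and the three "How it works" steps), as an added illustration that is not Cremit's code: a constructed credential inventory with owner and consumer mappings, a planner that sorts one departing employee's credentials into revoke, rotate, or owner-mapping queue, and the audit records that fall out of it. The inventory, employee ids, and field names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Credential:
    cred_id: str                     # hypothetical id, constructed for the example
    kind: str                        # e.g. "aws_access_key", "github_pat"
    owner: Optional[str]             # employee_id recorded at creation; None = unattributed
    consumers: set = field(default_factory=set)  # principals/workflows that use it

# Constructed inventory: one ghost key, one shared key, one unattributed key,
# and one key that belongs to someone else and must be left alone.
INVENTORY = [
    Credential("AKIA-EXAMPLE-1", "aws_access_key", "e123", {"e123"}),
    Credential("ghp-EXAMPLE-2", "github_pat", "e123", {"e123", "ci-deploy", "e456"}),
    Credential("dd-EXAMPLE-3", "datadog_token", None, {"ci-alerts"}),
    Credential("AKIA-EXAMPLE-4", "aws_access_key", "e456", {"e456"}),
]

def plan_offboarding(employee_id, inventory):
    """Sort credentials into revoke / rotate / queue for one departing employee.

    revoke: created by the employee and used by nobody else (ghost key).
    rotate: created by the employee but shared; revoking would break consumers.
    queue : no owner on record; needs an owner-mapping request, not a revoke.
    """
    plan = {"revoke": [], "rotate": [], "queue": []}
    for c in inventory:
        if c.owner == employee_id:
            shared = bool(c.consumers - {employee_id})
            plan["rotate" if shared else "revoke"].append(c.cred_id)
        elif c.owner is None:
            plan["queue"].append(c.cred_id)
    return plan

def audit_records(employee_id, plan, hr_event_time=None):
    """One audit entry per planned action, timestamped against the HR event."""
    ts = (hr_event_time or datetime.now(timezone.utc)).isoformat()
    return [
        {"hr_event": ts, "employee_id": employee_id, "cred_id": cid, "action": action}
        for action, creds in plan.items() for cid in creds
    ]

if __name__ == "__main__":
    plan = plan_offboarding("e123", INVENTORY)
    for rec in audit_records("e123", plan):
        print(rec)
```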
Frequently asked questions
Do I still need this if I already have SCIM?
SCIM deprovisions human accounts (Slack, Okta, GSuite, etc.). It does not touch machine credentials — API keys, service accounts, CI tokens, certificates — which stay alive. Cremit does not conflict with SCIM; it handles the NHI layer that sits on top.
How fast does revocation happen?
The first revocation typically begins within 90 seconds of the HR event arriving. Shared credentials that need rotation are queued behind a safe deployment window (default 5 minutes) and then rotated automatically. Every step is logged for audit.
Which HR systems integrate?
Direct integrations with Workday, BambooHR, Rippling, Personio, Sapling, and HiBob. For anything else, SCIM or a webhook (POST with employee_id) lets you trigger from any system.
Does this cover contractors and temporary employees?
Yes — set the contract end date in advance and the revocation workflow fires automatically at that time. Contractors are where automation pays off the most, because their human-account deprovisioning is the one that gets forgotten most often.
What happens to credentials with no clear owner?
Those are not auto-revoked at offboarding — revoking a key whose creator is unknown can break something nobody is monitoring. Cremit moves those into a separate queue and sends an owner-mapping request to the security team. The unattributed share shrinks over time as that queue gets worked through.
Does this work for on-prem or air-gapped environments?
Yes — connectors for on-prem IAM, AD, self-hosted GitLab, Jenkins, and Vault. Air-gapped environments deploy via a self-hosted runner mode that does not require outbound internet access.